All Posts

We have a total of five search heads, and while four of them are successfully executing the curl command, one search head is encountering an SSL error, specifically an SSLError with a curl status of 408.

HTTPSConnectionPool(host='localhost', port=8801): Max retries exceeded with url: /servicesNS/nobody/alert/saved/searches/alert/acl (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

What are the next steps to identify and resolve the root cause of this SSL error?
Thanks! This is using Dashboard Studio. The input is currently via a multiselect dropdown. Ultimately the goal of this dashboard is for the user to be able to select one or more values from the dropdown, and be presented with corresponding results from queries to two separate indices. The challenge is that one index has hostnames stored as FQDN, and the other the host by itself. I've also wondered if it might be a better approach for the drop-down values to include the domain, and then somehow strip it back out in the query against the index that doesn't need it?
Hi @rwheeloc, are you using Classic Dashboards or Dashboard Studio dashboards? In Classic you should be able to add the rest of the domain to the "Token Value Suffix" section of the input. In Dashboard Studio you'd probably need to create another search in a table which is off to the outside of the visible frame, pass the token in and use makeresults to turn it into the string you need, then use the result from that search as the token in your other searches. The other way might be to change it at the point it's rendered in the input - are you using a search to generate the token options? Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
I am looking for a way to pull out CLUSTER1 as a single value as there are two other clusters, CLUSTER2 AND CLUSTER3. Thanks
Here are 2 examples of the values for the events:
{"CLUSTER1.COM","viewSiteAsUser.hasAccess":true}
{"CLUSTER_VIP":"CLUSTER1.COM"}
I've done a bit of searching and haven't quite found a solution to what I'm trying to accomplish (or I haven't understood the previous solutions). But essentially I'm trying to write an SPL query (for use in a dashboard) that will append a string (domain) to a list of values (hosts) passed by a token prior to processing the search. For example, if the value passed by token $DeviceNames$ is "host1,host2,host3", the goal would be to return results as if the query was equivalent to: hostname IN (host1.domain.com,host2.domain.com,host3.domain.com)
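As an added example that is not part of this thread, one way to build the suffixed list inside the search itself rather than in the input. It assumes the token $DeviceNames$ carries the comma-separated string shown in the question, that the two indices are idx_fqdn and idx_short (placeholder names), and that both store the device name in a field called hostname; the domain suffix .domain.com is the one from the question.

```spl
(index=idx_fqdn
    [ | makeresults
      | eval hostname=split("$DeviceNames$", ",")
      | mvexpand hostname
      | eval hostname=trim(hostname).".domain.com"
      | table hostname ])
OR
(index=idx_short
    [ | makeresults
      | eval hostname=split("$DeviceNames$", ",")
      | mvexpand hostname
      | eval hostname=trim(hostname)
      | table hostname ])
| eval hostname=replace(hostname, "\.domain\.com$", "")
| stats count BY index hostname
```

Each subsearch returns one row per device with a hostname field, which Splunk rewrites into hostname="..." OR hostname="..." clauses, so the FQDN index is filtered on the suffixed names and the other index on the bare names; the final eval strips the suffix again so both indices can be compared on one key.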
Sample events are attached.
Hey Will, still the exact same error. Do you have a list or checklist of things I should check? Any suggestions on which version of the driver I should try? Thanks, Tanvi
Hi @yigaloz, what helped me identify errors in the configuration of this addon was enabling debug logging by editing the file $SPLUNK_HOME/etc/apps/TA-oci-logging-addon/bin/oci_logging.py, changing the string ERROR to DEBUG on line 42. Then restart Splunk. You can check the logs using the query:
index=_internal source=*oci_logging.log
Another possibility would be to install a previous version of the addon, which might work.
Hey @vh, quite strange behavior. Here I'm using version 1.0.23 of the add-on and 9.2.4 of Splunk Enterprise. You could try installing an earlier version of the add-on; it might work. On Splunkbase, the last version that supports only Splunk Enterprise is 1.0.24, that's a good version to try. As a last resort, you could have only the heavy forwarder running version 9.2.3 of Splunk with the add-on installed. It would work, but it's not ideal. Let me know if it works.
Wow, I hope that is not the case, because that endpoint returns "eai:data" which is the contents of the dashboard, this could contain sensitive information that shouldn't be exposed to people who don't have access to it. I'll go away and double check but this would be a big security issue for a number of my customers if that is the case! I'm fairly certain it only returns dashboards you have access to but I will go away and verify!
When you have this kind of (big) environment with several serverclasses etc. you should use only conf files with git to manage that environment! That way your DS wouldn't do anything else than what you tell it to do. PLA1310C_Splunk .conf24 Interactive Workshop - this is something you should read.
You shouldn't ever write the admin password in clear text in any file (like cron) in any system. You have lost your Splunk installation(s) security that way!!!!
When you have access to use REST you will also get some other information as output than you could really access with the GUI (I haven't tested it currently). For that reason you also see other dashboards there by name even if you don't have access to those. For that reason you must expand all roles which this user has and also check that the user has access to the apps where those dashboards are. I can test this later on with my lab, but it takes some days before I have time for it.
Hi, as you have Cluster Manager as your LM too, this serverName is actually your CM's name, not only your LM name. I assume that you are also using e.g. indexer discovery and other stuff in your environment? I suppose that when you have changed that serverName then all those entities which are connected to your CM could have some issues, as the serverName which they are expecting does not exist. It's hard to say what all those are without a deeper look into your environment. r. Ismo
@isoutamo Surely using the REST call
| rest splunk_server=local /servicesNS/-/-/data/ui/views
will only return views which the user is able to access, otherwise they wouldn't be returned from the API call? The only thing they need to do is exclude themselves from eai:acl.owner if they don't want to see the ones they own:
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| search NOT [| rest /services/authentication/current-context splunk_server=local | fields + username | rename username as eai:acl.owner]
| table label eai:acl.owner
Or just remove the user-context entirely to see all views they have access to:
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| rename eai:acl.app as App, eai:acl.perms.read as Permissions, title as View, label AS Dashboard
| table App Dashboard
Unless I have the wrong end of the stick here?! @tkwaller1
@kiran_panchavat Re: setting the sender field, the doc you have linked to states: This value is set by your Splunk Cloud Platform implementation and cannot be changed. Entering a value in this field has no effect.
Hi @Alan_Chan, the short answer is no. It is not possible to change the sender address of emails in Splunk Cloud using native functionality. Regarding the "Send email as" setting in Server Settings -> Email Settings, the docs state: This value is set by your Splunk Cloud Platform implementation and cannot be changed. Entering a value in this field has no effect. https://docs.splunk.com/Documentation/Splunk/9.3.2/Alert/Emailnotification#Steps_for_Splunk_Cloud_Platform:~:text=This%20value%20is%20set%20by%20your%20Splunk%20Cloud%20Platform%20implementation%20and%20cannot%20be%20changed.%20Entering%20a%20value%20in%20this%20field%20has%20no%20effect. Even if you could change this, the emails are sent from Splunk's email provider and would not match the anti-spam configurations of your own domain, thus mail relays would likely block it anyway. Depending on the type of emails you wanted to send (e.g. alerts rather than PDF reports) you could look at other options like using AWS SNS or something like an Office 365 / Azure alert action to send using your O365 creds; however, I believe outbound SMTP from Splunk Cloud is blocked, so you would need to use something with an API call, and you could not substitute this for all email sending actions from Splunk Cloud. Sorry it wasn't the answer you were looking for, but hopefully this helps you avoid going down other rabbit-holes! Please let me know how you get on and consider adding karma to this or any other answer if it has helped. Regards, Will
Have you any sample events which you can share with us? If yes, then anonymise those if/as needed.
Shortly: You must
1. first expand all roles which that user has. Don't forget to expand also the inherited roles.
2. Then you must look in which apps the user has read access by any of his/her roles.
3. And last look which views under those apps have read access for any of the roles that apply to that user.
eai:acl.perms.read admin sc_admin
I think that you could find some answers which give SPL for item 1. But I haven't looked at/done 2 and 3. So maybe you can find those or not? r. Ismo
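An added SPL sketch, not from this thread, covering items 1 and 3 above for a placeholder user jdoe: it takes the user's direct roles from the users endpoint, adds one level of imported roles from the roles endpoint, then lists every view whose read permission names one of those roles or * (readable by every role). The app-level read check in item 2 is not applied here, and roles inherited more than one level deep would need the expansion step repeated.

```spl
| rest splunk_server=local /services/authorization/roles
| fields title imported_roles
| rename title AS role
| search
    [ | rest splunk_server=local /services/authentication/users
      | search title="jdoe"
      | fields roles
      | mvexpand roles
      | rename roles AS role
      | table role ]
| eval role=if(isnull(imported_roles), role, mvappend(role, imported_roles))
| mvexpand role
| table role
| append
    [ | makeresults
      | eval role="*"
      | table role ]
| dedup role
| join type=inner max=0 role
    [ | rest splunk_server=local /servicesNS/-/-/data/ui/views
      | fields title label eai:acl.app eai:acl.perms.read
      | rename eai:acl.perms.read AS role
      | mvexpand role
      | table role eai:acl.app title label ]
| stats values(role) AS granting_roles BY eai:acl.app title label
```

The first subsearch filters the roles endpoint down to the user's direct roles, the appended * row makes views with an everyone read permission match too, and the join keeps only views whose read permission overlaps the expanded role set, with granting_roles showing which role gave access to each view.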